It is one of the CS-Cart system requirements that mod_security should be disabled on the server for proper work of CS-Cart. So we strongly recommend that you disable mod_security on your server. Note that you should not worry about disabling it as long as CS-Cart is designed to meet the latest security requirements. For more information please visit the "PCI Compliance" page of our website: https://www.cs-cart....compliance.html

--- Pavel Zyukin, CS-Cart Support team

I strongly suggest that it is ENABLED at all times. The ability to use CS-Cart is null if the server isn't protected in any case. These types of suggestions will have your users disadvantaged over time.

J.

I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

We revised our attitude to this module recently and we decided to investigate it in more detail so that it should not be disabled on the server and we can provide necessary settings for this module. Our engineers are working on increasing compatibility of CS-Cart with mod_security at the moment. We will provide detailed information about what settings should be enabled/disabled for this module on the server when it is done.

We have tested CS-Cart with these requirements and it worked successfully without any problems. Also please let me add that the architecture of the current CS-Cart version (3.0.1) has changed to make CS-Cart more compatible with mod_security by default.

We installed Mod_Security on our server with version 4.2.3 in an effort to stop/slow down the attacks or garbage bots, but we still seem to have an issue. There are "some" products that we are unable to change and save without getting the 404 "Well Shucks" message. We also installed the "ConfigServer ModSecurity Control" and we whitelisted all of the suggested rules. Has anyone run into any other rulesets that need to be added/whitelisted with version 4 of CS?

So far I cannot seem to find where CS-Cart has given a final answer on using Mod_Security and all they seem to do in their instructions is give information on how to totally disable it...which kind of defeats the purpose.

That goes double if you run other applications within your domain, such as WordPress, etc..

Tripply [Editor's note - this is not a real word.. ] - if you run a VPS or Dedicated Server or even shared for that matter and care whether your site can get shut down by the host when you become compromised.

Quadru--. well, you get the point.

Most merchants/businesses do not fully understand the level of care they are supposed to take with their customers' data. We do A LOT of hack recovery across all systems. CS Cart has been fairly secure compared to other carts we deal with .. but it is important to remember that all systems have problems over time.

Regardless, we'd never drop mod_security for any reason...

The two rulesets that seem to have the most problems with CS-Cart (and Magento, add Zen Cart and so on ... ) are:

PCRE record limits exceeded - you can increase this 5000% fairly safely if your server has other ways of limiting flood attacks and POST.

"Generic" SQL injection match rules - these are the silly rules that will filter or 500 error content with words like "Select", "Delete", "join", etc.

Proper form programming, which CS Cart does have .. should never have to rely on the filter.

Let some half-wit programmer do some custom forms for you .. then yes...

We're happy to help with anyone's VPS or dedicated systems if you need some professional assistance.

Hmm, we always have problems saving content on our CSCart websites.
What we do is temporarily disable ModSec with "SecFilterScanPOST Off".
This is fine, as long as we remember to comment the line out when finished.
It would be great to have some Linux script that ran from a cron job every 30 min or so to replace the line
"SecFilterScanPOST Off" with "# SecFilterScanPOST Off".
Sadly, that's a bit beyond my skills.
I welcome comments regarding this approach, and indeed a script to do the job...
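The re-arming script asked for above, as an added example that is neither the poster's nor CS-Cart's code: it comments out any active "SecFilterScanPOST Off" line in a config file so the POST filter comes back on its own. The config path and the cron entry are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example (not from the thread): re-arm ModSecurity POST scanning by
# commenting out every uncommented "SecFilterScanPOST Off" line in FILE.
# Suggested cron entry (path is an assumption):
#   */30 * * * * /usr/local/sbin/rearm_modsec.sh /path/to/modsec2.user.conf
# Apache only re-reads the file on restart, so follow a change with your
# host's graceful restart (e.g. "apachectl graceful").

# comment_out_scanpost FILE
# Prints the number of lines it commented out (0 if nothing was active).
# Returns 0 on success, 2 if FILE does not exist.
comment_out_scanpost() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # Count only uncommented occurrences; already-commented lines are left alone.
    n=$(grep -c -E '^[[:space:]]*SecFilterScanPOST[[:space:]]+Off[[:space:]]*$' "$f" || true)
    if [ "$n" -gt 0 ]; then
        tmp="$f.tmp.$$"
        # Keep the original text after "# " so it can be re-enabled by hand later.
        sed 's/^\([[:space:]]*\)\(SecFilterScanPOST[[:space:]][[:space:]]*Off[[:space:]]*\)$/\1# \2/' \
            "$f" > "$tmp" && mv "$tmp" "$f"
    fi
    echo "$n"
    return 0
}

# Stand-alone use: rearm_modsec.sh FILE
if [ -n "$1" ]; then
    comment_out_scanpost "$1"
fi
```

Note that SecFilterScanPOST is a ModSecurity 1.x directive; on ModSecurity 2.x the request-body switch is SecRequestBodyAccess, so the pattern would need to follow whichever directive your config actually uses.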

I am installing V432 and it is requiring I disable mod_security. Clearly I do not want that disabled. What do I need to do? I cannot install. It just stays on the install screen and the only error is "The mod_security module was detected on your server. It may cause "403 Forbidden" and "Not Acceptable" errors, so it is recommended to disable it."

My apologies for bumping this old thread - I would appreciate help and views on a related problem.

We are using cs-cart V 2.1.3 on PHP 5.3.29. We were on wiredtree till now, with mod_security enabled. Recently wiredtree sold to liquidweb, and so we moved to liquidweb, retaining the PHP version. The new server was CentOS 6 with EasyApache 3 and LiteSpeed.

After the move, in general, the site loads fast, and we could not uncover any issues in our own testing. However, we realized that at times we would get a 500 server error, and our IP would be blocked.

We became concerned that genuine customers should not be facing this issue (server 500 error, and IP block), leading to loss of sale.

I have got the modsec2.user.conf, exclude.csf, whitelist.csf and modsec_audit.log files from the NEW server.

Is it possible to get these analyzed to see if there are some rules which should be whitelisted? I did contact cs-cart support, and they kindly gave an advisory file with recommendations, but I am more concerned with auditing and analysing the rules already in place, in case any of them are creating conflicts.

I saw MAXAM's post above, but could not locate these rules anywhere in the modsec2.user.conf file.

We've fixed a few WiredTree to Liquidweb issues like this... 2 different CS-Cart builds no less.

What does your 500 error actually say? On liquidweb it's in /usr/local/apache/logs and then the individual log for your server...

1) There were a lot of permission issues on the migration we found. If you have already normalized permissions ... then move on to ..

2) You should disable the Mod_Sec entry in Configserver firewall for the time being. There are too many problems that come up when you run PHP 5.3 (old) and the older version of CSCart. You'll wind up blocking a lot of users. Otherwise, make the value larger than the 5 default. One page load can trigger 5 hits all at once.
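For the audit-log review asked about two posts up (which rules keep firing, and on which pages, before anything is whitelisted), here is an added example that is not code from the thread or from CS-Cart. It reads a ModSecurity 2.x serial audit log and tallies rule IDs per request path; the sample log it writes is constructed, and the rule IDs and paths in it are illustrative only.

```shell
#!/bin/sh
# Added example (not from the thread): tally which ModSecurity 2.x rules
# fired, and against which request path, from a modsec_audit.log, so the
# noisiest rules can be reviewed before any whitelisting decision.

# modsec_rule_tally FILE
# Prints "COUNT RULE_ID PATH", most frequent first. The audit log's B
# section carries the request line; every "Message:" line in the H section
# carries the matching rule's [id "..."] tag.
modsec_rule_tally() {
    awk '
        # B section: request line, e.g. "POST /admin.php?dispatch=x HTTP/1.1"
        /^(GET|POST|PUT|DELETE|HEAD) \// { path = $2; sub(/\?.*/, "", path) }
        # H section: one Message: line per rule that matched this request
        /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
            print substr($0, RSTART + 5, RLENGTH - 7), path
        }
    ' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# make_sample_audit_log FILE: writes a constructed two-transaction audit log
# (not real data) in the serial audit-log format, for trying the tally.
make_sample_audit_log() {
    cat > "$1" <<'EOF'
--a1b2c3d4-A--
[10/Jan/2016:10:00:00 +0000] Vo1a2b3c4d 203.0.113.5 54321 198.51.100.2 80
--a1b2c3d4-B--
POST /admin.php?dispatch=products.update HTTP/1.1
Host: shop.example
--a1b2c3d4-H--
Message: Warning. Pattern match "(?i:select)" at ARGS:product_data[description]. [file "modsec2.user.conf"] [line "42"] [id "950901"] [msg "SQL Injection Attack"]
Message: Access denied with code 403 (phase 2). [file "modsec2.user.conf"] [line "99"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[10/Jan/2016:10:05:00 +0000] Vo1e5f6a7b8 203.0.113.9 54322 198.51.100.2 80
--e5f6a7b8-B--
POST /admin.php?dispatch=products.update HTTP/1.1
Host: shop.example
--e5f6a7b8-H--
Message: Warning. Pattern match "(?i:select)" at ARGS:product_data[description]. [file "modsec2.user.conf"] [line "42"] [id "950901"] [msg "SQL Injection Attack"]
--e5f6a7b8-Z--
EOF
}
```

Run it against the real log with `modsec_rule_tally /path/to/modsec_audit.log`; a rule that fires on every save of a legitimate admin page is the kind of candidate worth a targeted exclusion, rather than turning the module off.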